
Information Security Education and Awareness Policy


Purpose

The purpose of this policy is to ensure that any user who has access to the University of the Pacific's information technology-based resources understands Pacific's applicable information security policies and has a verified understanding of information security awareness.

Applicability

This policy applies to all University of the Pacific employees, contractors, and volunteers, including faculty, staff, coaches, administrators, students and temporary employees who have access to Pacific's information technology-based resources.

Policy

Individuals must understand the risks in using today's technology and how to effectively defend against today's cyber threats, both at work and at home. The primary purpose of an effective information security education and awareness program is to establish and sustain an appropriate level of protection for data and technology resources by increasing users' awareness of their information security responsibilities. Specific objectives of this program include:

 

  • Improving awareness of the need to protect information resources
  • Ensuring that users clearly understand their responsibilities for protecting information resources
  • Ensuring that users are knowledgeable about Pacific's information security policies
  • Developing users' skills and knowledge so they can perform their jobs securely

 

All University of the Pacific employees, contractors, and volunteers, including faculty, staff, coaches, administrators, students and temporary employees must complete information security awareness education and training with respect to Pacific's information security policies upon hire in concert with other training required by the University. All employees, contractors and volunteers with access to Payment Card Industry (PCI), Health Insurance Portability and Accountability Act 1996 (HIPAA), or other specified categories of regulated data will receive annual training to meet regulatory requirements. All employees, contractors, and volunteers without access to specified data categories will receive bi-annual training. Pacific will maintain records, as it deems appropriate, that confirm a user has received training. Training may be delivered in person or online. In addition to annual training, reinforcement training such as newsletters, email messages, digital signage, posters, webcasts and other means will be used on campus. The Information Security Education and Awareness program may also include unscheduled awareness assessments to ensure compliance with the policy.

 

Compliance

  • Measurement – 90% of all faculty and staff will receive training at least bi-annually and 100% of all new employees will receive training within 30 days of starting at Pacific.

 

  • Exceptions

 

    • Granting of an Exception - Exceptions to the Information Technology Policies will only be granted if an appropriate justification for the exception is approved and the person responsible for that area of information management, the appropriate Information Administrator, accepts the additional risk and/or responsibilities posed by the exception.

 

    • Applying for an Exception - To apply for an exception to an Information Technology Policy, the individual will prepare a written request for the exception (email is acceptable), along with a justification, and deliver the request to the Chief Information Security Officer (CISO). The CISO will work with the individual and appropriate unit IT personnel to find an alternative that complies with current policy. 

 

    • Arbitrating a Denial - If the matter cannot be promptly resolved to the satisfaction of all parties, the request for exception will be presented to the full Information Strategy and Policy Committee (ISPC) along with appropriate analysis by the University IT Security Officer and unit IT leadership.   The CIO, with advice from the ISPC, is the final arbitrator of all exceptions to security policies.  The University Information Security Office will maintain a record of all exception requests, their resolution and any accompanying documentation.  This record will be made available to the ISPC to assist in the review and revision process for these policies.

Violations

It is the responsibility of each User to understand their privileges and responsibilities under Information Technology Policies and to act accordingly. 

Users failing to abide by these policies may be subject to corrective action up to and including dismissal, expulsion, and/or legal action by the University. While technical corrective action, including limiting user activity or removing information, may be taken in emergency situations by authorized Information Technology staff, other corrective action, technical and/or non-technical, will be taken in accord with applicable University policies and procedures.

Contact Information

Contact IT Security


About This Policy
Last Updated: 8/23/2018
Original Issue Date: 8/23/2018
Responsible Department: Information Technology